Local Administrator Password Solution, or LAPS, addresses the problem of using a common local account with the same password on every Windows computer in a domain: it sets a random, different password for that common local administrator account on each computer in the domain.
Local Administrator Password Solution
The Local Administrator Password Solution (LAPS) provides management of local account passwords on domain-joined computers. Passwords are stored in Active Directory (AD) and protected by an ACL, so only eligible users can read them or request a reset.
This solution automatically manages local administrator passwords on domain-joined computers, so that the password is:
- Unique on each managed computer
- Randomly generated
- Securely stored in AD infrastructure.
Its features include:
Security:
- Random password that is changed automatically at a regular interval
- Password is protected in transit by Kerberos encryption
- Password is protected in AD by an AD ACL
- Effective mitigation of pass-the-hash attacks
Manageability:
- Configurable password parameters: age, complexity, length
- Ability to force password reset
- Security model integrated with AD ACLs
- End-user UI can be any AD management tool of choice; PowerShell and a fat client are provided
- Protection against computer account deletion
- Easy implementation and minimal footprint
Extensibility:
- Additional encryption of password stored in AD
- Password history
- Web UI.
Domain administrators who use this solution can determine which users, such as helpdesk administrators, are authorized to read passwords.
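An added PowerShell example (not from the original page) showing what that delegation, and a check of who can already read the passwords, look like with the AdmPwd.PS module that ships with the LAPS installer; the OU, group and computer names are assumptions.

```powershell
# Added example (not from the original page): delegating and auditing LAPS
# password access with the AdmPwd.PS module installed by AdmPwd.Setup.*.msi.
# Assumptions (placeholders, not from the page): the OU, group and computer names.
Import-Module AdmPwd.PS

$ou        = 'OU=Workstations,DC=corp,DC=example'   # assumed OU holding managed computers
$readers   = 'CORP\Helpdesk-LAPS-Readers'           # assumed group allowed to read passwords
$resetters = 'CORP\Helpdesk-LAPS-Reset'             # assumed group allowed to request a reset

# 1. Let each computer write its own password and expiry time into AD (once per OU).
Set-AdmPwdComputerSelfPermission -OrgUnit $ou

# 2. Grant read and reset rights only to the groups that need them (least privilege).
Set-AdmPwdReadPasswordPermission  -OrgUnit $ou -AllowedPrincipals $readers
Set-AdmPwdResetPasswordPermission -OrgUnit $ou -AllowedPrincipals $resetters

# 3. Check: which principals hold "All extended rights" on the OU? They can read the
#    stored password without being explicitly delegated, so review this list before
#    trusting the ACL alone.
Find-AdmPwdExtendedRights -Identity $ou |
    ForEach-Object { $_.ExtendedRightHolders } |
    Sort-Object -Unique

# 4. Reading a password as a delegated helpdesk user, then forcing a rotation.
$computer = 'WS-0001'   # assumed computer name
Get-AdmPwdPassword -ComputerName $computer |
    Select-Object ComputerName, Password, ExpirationTimestamp

# Sets the expiry to now; the LAPS client rotates the password at the next Group Policy refresh.
Reset-AdmPwdPassword -ComputerName $computer
```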
Once you have downloaded the zip file for your system (32-bit or 64-bit) from the Microsoft Download Center, extract Installers.zip to a folder. It contains two files, AdmPwd.Setup.x64.msi and AdmPwd.Setup.x86.msi. You may also want to download the LAPS Datasheet, Operations Guide and Technical Specifications documents, as they give a lot of information on how to use the solution.